Michael Mahemoff drops a line to ask how my html sanitization code handles input like:

    <a href="javascript:evilfunc();">
I think that the routine acquits itself pretty well. First, these exploits depend upon the existence of an evilfunc in the containing page. So you would need to either manually include the evilfunc in the page or explicitly allow the script tag in the sanitize_html options.
In addition, sanitize_html allows you to specify both the allowed tags and the allowed tag attributes. So you would have to allow the onmouseover attribute for the second exploit to survive the sanitization process.
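To make the tag and attribute allow-list idea concrete, here is a small whitelist sanitizer written as an added example for this post; it is not the sanitize_html routine discussed above, and the allow lists, the names `WhitelistSanitizer`, `sanitize` and `_clean_url`, and the sample inputs are all assumptions of the example. It drops any tag or attribute that is not explicitly allowed, which is how the `onmouseover` attribute disappears, and it goes one step beyond the description above by also dropping an `href` whose URL scheme is not on an allow list, so the `javascript:` link is removed even if the surrounding page happens to define a function of that name.

```python
"""Whitelist HTML sanitizer (added example, not the post's sanitize_html code).

Assumptions (hypothetical): the allow lists below, the helper names
WhitelistSanitizer/sanitize/_clean_url, and the constructed sample inputs.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # onmouseover and friends are never listed
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative URLs
_CONTROL = re.compile(r"[\x00-\x20]")


def _clean_url(value):
    """Return a normalised URL if its scheme is allowed, else None.

    Control characters are stripped first because browsers ignore tabs and
    newlines inside a scheme, so "java\\tscript:" would otherwise pass a naive check.
    """
    cleaned = _CONTROL.sub("", value or "")
    if urlparse(cleaned).scheme not in ALLOWED_SCHEMES:
        return None
    return cleaned


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the document from only the allowed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag is dropped; its text still survives as text
        kept = []
        for name, value in attrs:       # HTMLParser lower-cases tag and attribute names
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # e.g. onmouseover="evilfunc()" is dropped here
            if name == "href":
                value = _clean_url(value)
                if value is None:
                    continue            # e.g. href="javascript:evilfunc();" is dropped here
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text nodes are re-escaped on output


def sanitize(html):
    """Return a copy of `html` containing only allow-listed tags, attributes and URL schemes."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input combining both attribute-based vectors mentioned in the post.
    print(sanitize('<a href="javascript:evilfunc();" onmouseover="evilfunc()">click</a>'))
```

Because the output is rebuilt from the parse tree rather than filtered with regular expressions, a tag that is not on the list cannot smuggle attributes through, and inline script content ends up as escaped text instead of executable markup.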